Pairings on Generalized Huff Curves 



Abdoul Aziz Ciss and Djiby Sow 

Laboratoire d'Algebre, Codage, Cryptologie, Algebre et Applications 
Universite Cheikh Anta Diop de Dakar, Senegal 

BP: 5005, Dakar Fann 
abdoul.ciss@ucad.edu.sn, sowdjibab@yahoo.fr



Abstract. This paper presents the Tate pairing computation on generalized
Huff curves proposed by Wu and Feng in [22]. In fact, we extend
the results of the Tate pairing computation on the standard Huff elliptic
curves done previously by Joye, Tibouchi and Vergnaud in [14].
We show that the addition step of the Miller loop can be performed in
$1M + (k+15)m + 2c$ and the doubling one in $1M + 1S + (k+12)m + 5s + 2c$
on the generalized Huff curve.

1 Introduction

Pairing computations on elliptic curves were introduced in 1948 by Weil [21],
but their utilization in cryptography is actually quite recent. In 1993, Menezes,
Okamoto and Vanstone [17] used the Weil pairing to convert the discrete logarithm
on some elliptic curves to a discrete logarithm in some extension of the
base field.

More recently, Frey and Rück [11] extended the results of Menezes et al. to an
even wider category of elliptic curves, but with the Tate pairing instead of the
Weil pairing.

Sakai, Ohgishi and Kasahara [19] and Joux [14] proposed independently in 2000
two cryptosystems using pairings on elliptic curves. In fact, Joux presented a
Diffie-Hellman look-alike protocol, except that it allows three entities (instead of two)
to create and exchange a secret key. Sakai, Ohgishi and Kasahara studied the use
of pairings in identity-based cryptosystems. The idea of ID-based cryptography
was introduced in 1984 by Shamir [20]. It consists of a cryptosystem where the
public key of each entity is directly linked to its identity, which removes the need
for its certification by a trusted certification authority.

Boneh and Franklin in [4] and Cocks [8] proposed separately in 2001 two
identity-based encryption schemes; the first one uses the Weil pairing, the second one
uses properties of quadratic residues. Since then, cryptographic pairings and
their applications in cryptosystems have caught numerous researchers' attention,
and new ID-based protocols have been presented frequently [3,5,6,7,15].
Since cryptographic pairings were gaining more and more importance, many
researchers led studies on families of curves where pairings are efficiently
computable [2,9,10,12,16], as well as studies on efficient algorithms to compute
pairings [1112].

In [15], Joye, Tibouchi and Vergnaud present efficient formulae for computing the
Tate pairing on Huff curves. Our contribution in this paper is to extend their
results to the generalized Huff curves proposed by Wu and Feng in [22]. In fact,
we show that the Tate pairing on generalized Huff curves is as efficient as on
ordinary Huff curves and is a good choice to implement ID-based cryptography.
The rest of the paper is organized as follows: in the next section, we recall some
basic definitions and notation on generalized Huff curves and the Tate pairing.
In section 3, we give the main result of the paper, i.e. formulae for computing the
Tate pairing on generalized Huff curves.

2 Preliminaries 

2.1 Generalized Huff curves 

In [22], Wu and Feng extend the Huff elliptic curves by introducing the new form

$$H_{a,b} : x(ay^2 - 1) = y(bx^2 - 1),$$

where $ab(a - b) \neq 0$. This new model contains the ordinary Huff curves as a
particular case.

If $a = \mu^2$ and $b = \nu^2$ are squares in $\mathbb{F}$, set $x' = \nu x$ and $y' = \mu y$. Therefore,
$\mu x'(y'^2 - 1) = \nu y'(x'^2 - 1)$.

That means all curves of the form $ax(y^2 - 1) = by(x^2 - 1)$ are included in the
family of curves $x(ay^2 - 1) = y(bx^2 - 1)$, where $a$ and $b$ are quadratic residues
in $\mathbb{F}$. Note that $H_{a,b}$ is smooth if $ab(a - b) \neq 0$.

Theorem 1. Let $\mathbb{F}$ be a field of characteristic different from 2, let $a$ and $b$ be
two elements of $\mathbb{F}$, with $a \neq b$. Then, the curve

$$H_{a,b} : X(aY^2 - Z^2) = Y(bX^2 - Z^2)$$

is isomorphic over $\mathbb{F}$ to the elliptic curve given by the Weierstrass equation

$$V^2 W = U(U + aW)(U + bW)$$

via the transformation $\varphi(X, Y, Z) = (U, V, W)$, where $U = bX - aY$, $V = (b - a)Z$
and $W = Y - X$. The inverse map is given by $\psi(U, V, W) = (X, Y, Z)$,
with $X = U + aW$, $Y = U + bW$ and $Z = V$.

In affine coordinates, the Huff curve $x(ay^2 - 1) = y(bx^2 - 1)$ defined over $\mathbb{F}$ is
isomorphic to the elliptic curve $y^2 = x(x + a)(x + b)$ over $\mathbb{F}$.

Expression of the group law over $x(ay^2 - 1) = y(bx^2 - 1)$:
Let $y = y_1 + \lambda(x - x_1) = \lambda x + \mu$ be the equation of the line through $P_1$,
$P_2 \in H_{a,b}(\mathbb{F})$, where $\lambda$ is the slope of the line through $P_1$ and $P_2$. By the
equation of the curve, we obtain $x(a(\lambda x + \mu)^2 - 1) = (\lambda x + \mu)(bx^2 - 1)$. Let
$S = P_1 + P_2 = (x_3, y_3)$. Then,

$$P_1 + P_2 = \left( \frac{(x_1 + x_2)(ay_1y_2 + 1)}{(bx_1x_2 + 1)(ay_1y_2 - 1)},\ \frac{(y_1 + y_2)(bx_1x_2 + 1)}{(bx_1x_2 - 1)(ay_1y_2 + 1)} \right).$$

Consider now the two points $P_1$ and $P_2$ in projective coordinates, i.e. $P_1 =
(X_1, Y_1, Z_1)$ and $P_2 = (X_2, Y_2, Z_2)$, and $U = O = (0, 0, 1)$ as the neutral element
of the group law. Let $S = P_1 + P_2 = (X_3, Y_3, Z_3)$. Then,

$$X_3 = (X_1Z_2 + X_2Z_1)(aY_1Y_2 + Z_1Z_2)^2 (Z_1Z_2 - bX_1X_2),$$
$$Y_3 = (Y_1Z_2 + Y_2Z_1)(bX_1X_2 + Z_1Z_2)^2 (Z_1Z_2 - aY_1Y_2),$$
$$Z_3 = (b^2X_1^2X_2^2 - Z_1^2Z_2^2)(a^2Y_1^2Y_2^2 - Z_1^2Z_2^2).$$

Let $m$, $s$ and $c$ be respectively the costs of a multiplication, a squaring and a
multiplication by a constant. Let $m_1 = X_1X_2$, $m_2 = Y_1Y_2$, $m_3 = Z_1Z_2$, $c_1 = bm_1$
and $c_2 = am_2$.

1. $m_4 = (X_1 + Z_1)(X_2 + Z_2) - m_1 - m_3$, $m_5 = (Y_1 + Z_1)(Y_2 + Z_2) - m_2 - m_3$.

2. $m_6 = (m_3 - c_1)(m_3 + c_2)$, $m_7 = (m_3 + c_1)(m_3 - c_2)$.

Therefore, $X_3 = m_4m_6(m_3 + c_2)$, $Y_3 = m_5m_7(m_3 + c_1)$ and $Z_3 = m_6m_7$. Thus,
the addition of two points of the curve can be evaluated in $12m + 2c$, where $2c$
represents the cost of the multiplications by the two constants $a$ and $b$.
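
As a check on the projective formulas and the $m_1, \dots, m_7$ schedule above, the following added example (not the authors' code) adds every pair of affine points of a toy curve $H_{3,5}$ over $\mathbb{F}_{103}$ and compares the result, through the map of Theorem 1, with the chord-and-tangent law on $v^2 = u(u+a)(u+b)$. The prime, the two constants and all function names are assumptions made for the illustration.

```python
# Added example, not the authors' code; p, a, b are constructed toy values.
p, a, b = 103, 3, 5                    # requires a*b*(a - b) != 0 mod p

def huff_add(P, Q):
    """Projective sum on X(aY^2 - Z^2) = Y(bX^2 - Z^2), cost 12m + 2c."""
    (X1, Y1, Z1), (X2, Y2, Z2) = P, Q
    m1, m2, m3 = X1*X2 % p, Y1*Y2 % p, Z1*Z2 % p          # 3m
    c1, c2 = b*m1 % p, a*m2 % p                           # 2c
    m4 = ((X1 + Z1)*(X2 + Z2) - m1 - m3) % p              # 1m, = X1Z2 + X2Z1
    m5 = ((Y1 + Z1)*(Y2 + Z2) - m2 - m3) % p              # 1m, = Y1Z2 + Y2Z1
    m6, m7 = (m3 - c1)*(m3 + c2) % p, (m3 + c1)*(m3 - c2) % p   # 2m
    X3 = m4*m6 % p * (m3 + c2) % p                        # 2m
    Y3 = m5*m7 % p * (m3 + c1) % p                        # 2m
    return (X3, Y3, m6*m7 % p)                            # 1m

def to_weierstrass(P):
    """(X, Y, Z) -> (U, V, W) = (bX - aY, (b - a)Z, Y - X), then affine (U/W, V/W)."""
    X, Y, Z = P
    W = (Y - X) % p
    if W == 0:                         # on the curve only O = (0:0:1) has X = Y
        return None                    # None stands for the point at infinity
    w = pow(W, -1, p)
    return ((b*X - a*Y)*w % p, (b - a)*Z*w % p)

def weierstrass_add(P, Q):
    """Chord-and-tangent law on v^2 = u(u + a)(u + b) = u^3 + a2*u^2 + a4*u."""
    if P is None or Q is None:
        return P or Q
    (u1, v1), (u2, v2) = P, Q
    if u1 == u2 and (v1 + v2) % p == 0:
        return None
    a2, a4 = a + b, a*b
    if P == Q:
        lam = (3*u1*u1 + 2*a2*u1 + a4) * pow(2*v1, -1, p) % p
    else:
        lam = (v2 - v1) * pow(u2 - u1, -1, p) % p
    u3 = (lam*lam - a2 - u1 - u2) % p
    return (u3, (lam*(u1 - u3) - v1) % p)

def cross_check():
    """Add every pair of affine points both ways; pairs with Z3 = 0 are skipped."""
    pts = [(x, y, 1) for x in range(p) for y in range(p)
           if (x*(a*y*y - 1) - y*(b*x*x - 1)) % p == 0]
    stats = {"ok": 0, "skipped": 0, "bad": 0}
    for P in pts:
        for Q in pts:
            S = huff_add(P, Q)
            want = weierstrass_add(to_weierstrass(P), to_weierstrass(Q))
            key = "skipped" if S[2] == 0 else "ok" if to_weierstrass(S) == want else "bad"
            stats[key] += 1
    return stats
```

The "skipped" counter records the pairs whose sum has $Z_3 = 0$, i.e. the inputs for which the affine formulas have a vanishing denominator.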

These addition formulae are complete. In other words, they can be used to
compute the point $2P = (x_3, y_3)$ for a given point $P = (x_1, y_1)$. Thus,

$$x_3 = \frac{2x_1(ay_1^2 + 1)}{(bx_1^2 + 1)(ay_1^2 - 1)}, \qquad y_3 = \frac{2y_1(bx_1^2 + 1)}{(bx_1^2 - 1)(ay_1^2 + 1)}.$$

In projective coordinates, the point $2P$ can be evaluated in $7m + 5s + 2c$ when
working with $U = O = (0, 0, 1)$ as neutral element.



2.2 Background on the Tate pairing

Definition 1. Let $G_1$ and $G_2$ be finite abelian groups written additively, and let
$G_3$ be a multiplicatively written finite group. A cryptographic pairing is a map

$$e : G_1 \times G_2 \to G_3$$

that satisfies the following properties:

1. it is non-degenerate, i.e. for all $0 \neq P \in G_1$, there is a $Q \in G_2$ with $e(P, Q) \neq 1$,
and for all $0 \neq Q \in G_2$, there is a $P \in G_1$ with $e(P, Q) \neq 1$;

2. it is bilinear, i.e. for all $P_1, P_2 \in G_1$ and for all $Q_1, Q_2 \in G_2$ we have

$$e(P_1 + P_2, Q_1) = e(P_1, Q_1)\,e(P_2, Q_1),$$

$$e(P_1, Q_1 + Q_2) = e(P_1, Q_1)\,e(P_1, Q_2);$$

3. it is efficiently computable.

An important property that is used in most applications and that follows
immediately from the bilinearity is $e([a]P, [b]Q) = e(P, Q)^{ab} = e([b]P, [a]Q)$ for all
$a, b \in \mathbb{Z}$ and for all $(P, Q) \in G_1 \times G_2$.

The Tate pairing can be defined on an ordinary abelian variety. It induces a 
pairing on the r-torsion subgroup of the abelian variety for a prime order r. 
Let $E$ be an elliptic curve defined over a finite field $\mathbb{F}_q$ of characteristic $p$. Let
$n = \#E(\mathbb{F}_q)$ and $r > 5$ be a prime different from $p$ with $r \mid n$.

Definition 2. The smallest integer $k$ with $r \mid (q^k - 1)$ is called the embedding
degree of $E$ with respect to $r$.

Remark 1. If $k$ is the smallest integer with $r \mid (q^k - 1)$, then the order of $q$ modulo $r$
is $k$. Furthermore, the smallest field extension of $\mathbb{F}_q$ that contains the group $\mu_r$
of all $r$-th roots of unity is $\mathbb{F}_{q^k}$.

Let $E$ be an elliptic curve over $\mathbb{F}_q$ of characteristic $p > 3$ given by a short
Weierstrass equation

$$E : y^2 = x^3 + ax + b, \qquad a, b \in \mathbb{F}_q.$$

Let $r \neq p$ be a prime such that $r \mid n = \#E(\mathbb{F}_q)$ and let $k > 1$ be the embedding
degree of $E$ with respect to $r$.

Lemma 1. Let $D = \sum_{P \in E} n_P (P) \in \mathrm{Div}(E)$. Then $D$ is a principal divisor if
and only if $\deg(D) = 0$ and $\sum_{P \in E} [n_P](P) = O$, where the latter sum describes the
addition on $E$.

Definition 3. Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$ of characteristic
$p$ and let $r \neq p$ be a prime dividing $n = \#E(\mathbb{F}_q)$. Let $k$ be the embedding degree
of $E$ with respect to $r$. The reduced Tate pairing is a map

$$e_r : E(\mathbb{F}_q)[r] \times E(\mathbb{F}_{q^k})[r] \to \mu_r \subset \mathbb{F}_{q^k}^{*},$$

$$(P, Q) \mapsto f_{r,P}(D_Q)^{(q^k - 1)/r},$$

where $P \in E(\mathbb{F}_q)[r]$ is an $\mathbb{F}_q$-rational point of order dividing $r$ represented by a
divisor $D_P$, and $Q \in E(\mathbb{F}_{q^k})[r]$ is an $\mathbb{F}_{q^k}$-rational point represented by a divisor $D_Q$
such that its support is disjoint from the support of $D_P$, and $f_{r,P} \in \mathbb{F}_{q^k}(E)$ is a
function on $E$ with $\mathrm{div}(f_{r,P}) = rD_P$.
When computing $f_{r,P}(Q)$, i.e. when $rD_P$ is supposed to be the divisor of the
function $f_{r,P}$, we can choose $D_P = (P) - (O)$. The divisor $D_Q \sim (Q) - (O)$
needs to have a support disjoint from $\{O, P\}$. To achieve that, one may choose
a suitable point $S \in E(\mathbb{F}_{q^k})$ and represent $D_Q$ as $(Q + S) - (S)$.
We need to compute $f_{r,P}$ having divisor $\mathrm{div}(f_{r,P}) = r(P) - r(O)$. Lemma 1
shows that for $m \in \mathbb{Z}$, the divisor $m(P) - ([m]P) - (m - 1)(O)$ is principal, such
that there exists a function $f_{m,P} \in \mathbb{F}_{q^k}(E)$ with $\mathrm{div}(f_{m,P}) = m(P) - ([m]P) -
(m - 1)(O)$. Since $P$ is an $r$-torsion point, we see that $\mathrm{div}(f_{r,P}) = r(P) - r(O)$,
and $f_{r,P}$ is a function we are looking for.

Definition 4. Given $m \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{q^k})[r]$, a function $f_{m,P} \in \mathbb{F}_{q^k}(E)$ with
divisor $\mathrm{div}(f_{m,P}) = m(P) - ([m]P) - (m - 1)(O)$ is called a Miller function.

Lemma 2. Let $P_1, P_2 \in E$. Let $l_{P_1,P_2}$ be the homogeneous polynomial defining
the line through $P_1$ and $P_2$, being the tangent to the curve if $P_1 = P_2$. The
function $L_{P_1,P_2} = l_{P_1,P_2}(X, Y, Z)/Z$ has the divisor

$$\mathrm{div}(L_{P_1,P_2}) = (P_1) + (P_2) + (-(P_1 + P_2)) - 3(O).$$

Lemma 3. Let $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$, $Q = (x_Q, y_Q) \in E$. For $P_1 \neq -P_2$
define

$$\lambda = \begin{cases} (y_2 - y_1)/(x_2 - x_1) & \text{if } P_1 \neq P_2, \\ (3x_1^2 + a)/(2y_1) & \text{if } P_1 = P_2. \end{cases}$$

Then, the dehomogenization $(l_{P_1,P_2})_*$ of $l_{P_1,P_2}$ evaluated at $Q$ is given by

$$(l_{P_1,P_2})_*(Q) = \lambda(x_Q - x_1) + (y_1 - y_Q).$$

If $P_1 = -P_2$, then $(l_{P_1,P_2})_*(Q) = x_Q - x_1$.

Lemma 4. Let $P_1, P_2 \in E$. The function $g_{P_1,P_2} := L_{P_1,P_2} / L_{P_1+P_2,\,-(P_1+P_2)}$ has
the divisor

$$\mathrm{div}(g_{P_1,P_2}) = (P_1) + (P_2) - (P_1 + P_2) - (O).$$

The function $g$ can be used to compute the Miller function recursively as shown
in the next lemma.

Lemma 5. The Miller function $f_{m,P}$ can be chosen such that $f_{1,P} = 1$ and such
that for $m_1, m_2 \in \mathbb{Z}$, it holds

$$f_{m_1+m_2,P} = f_{m_1,P}\, f_{m_2,P}\, g_{[m_1]P,[m_2]P},$$
$$f_{m_1m_2,P} = f_{m_1,P}^{m_2}\, f_{m_2,[m_1]P} = f_{m_2,P}^{m_1}\, f_{m_1,[m_2]P}.$$

Remark 2. Special cases from the previous lemma.
Let $m \in \mathbb{Z}$, then

1. $f_{m+1,P} = f_{m,P}\, g_{[m]P,P}$,

2. $f_{2m,P} = f_{m,P}^2\, g_{[m]P,[m]P}$,

3. $f_{-m,P} = (f_{m,P}\, g_{[m]P,-[m]P})^{-1}$.

Algorithm 1 Miller's Algorithm
 1: $R \leftarrow P$, $f \leftarrow 1$
 2: for ($i = l - 1$; $i \geq 0$; $i--$) do
 3:   $f \leftarrow f^2 \cdot g_{R,R}(Q)$
 4:   $R \leftarrow 2R$
 5:   if ($r_i = 1$) then
 6:     $f \leftarrow f \cdot g_{R,P}(Q)$
 7:     $R \leftarrow R + P$
 8:   end if
 9: end for
10: return $f^{(q^k - 1)/r}$



Note that $f_{0,P} = 1$ for all $P \in E$ and $g_{P_1,P_2} = 1$ if $P_1$ or $P_2$ equals the point
at infinity $O$. These formulas show that any function $f_{m,P}$ can be computed
recursively as a product of line functions. The functions are defined over the field
of definition of $P$.

Lemma 6. Let $P \in E(\mathbb{F}_q)[r]$ and $Q \in E(\mathbb{F}_{q^k})[r]$, $Q \notin E(\mathbb{F}_q)$; then the reduced
Tate pairing can be computed as $e_r(P, Q) = f_{r,P}(Q)^{(q^k - 1)/r}$.

The above algorithm, well known as Miller's algorithm, can be used to
compute $f_{r,P}(Q)$ for $P \in E(\mathbb{F}_q)[r]$ and $Q \in E(\mathbb{F}_{q^k})[r]$ and $r = (r_l, \dots, r_0)_2$ up
to irrelevant factors lying in a proper subfield of $\mathbb{F}_{q^k}$. Since $k > 1$, these factors are
mapped to 1 by the final exponentiation.

Remark 3. Note that the functions $g_{R,R}$ and $g_{R,P}$ in steps 3 and 6 are fractions
and that the inversions in each step of the loop can be postponed until the end
of the loop by keeping track of numerator and denominator separately.
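
Algorithm 1 with the line function of Lemma 3, as an added example that is not part of the paper: it runs on a constructed toy curve $y^2 = x^3 + x$ over $\mathbb{F}_{43}$ with $r = 11$ and $k = 2$ (short Weierstrass form, not a Huff curve), and takes $Q$ as the image of an $\mathbb{F}_p$-point under the distortion map $(x, y) \mapsto (-x, iy)$, which is an assumption of this example. Because $x_Q \in \mathbb{F}_p$, the denominators of $g$ are among the factors that the final exponentiation maps to 1, so only the lines are multiplied in.

```python
# Added example, not the paper's code. Constructed toy parameters: E: y^2 = x^3 + x
# over F_p, p = 43 (#E(F_p) = 44), r = 11, k = 2, F_{p^2} = F_p(i) with i^2 = -1.
p, r = 43, 11

def mul2(u, v):                                   # (c, d) stands for c + d*i
    return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)

def step(R, P):
    """Return (slope of the line through R and P or None, R + P); None is O."""
    if R is None or P is None:
        return None, R or P
    (x1, y1), (x2, y2) = R, P
    if x1 == x2 and (y1 + y2) % p == 0:           # vertical line, R = -P
        return None, None
    num, den = (3*x1*x1 + 1, 2*y1) if R == P else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, p) % p
    x3 = (lam*lam - x1 - x2) % p
    return lam, (x3, (lam*(x1 - x3) - y1) % p)

def ladder(n, x, op, identity):
    """Left-to-right double-and-add (or square-and-multiply) for n >= 0."""
    acc = identity
    for bit in bin(n)[2:]:
        acc = op(acc, acc)
        if bit == "1":
            acc = op(acc, x)
    return acc

def scalar_mul(n, P):
    return ladder(n, P, lambda A, B: step(A, B)[1], None)

def tate(P, Qp):
    """Algorithm 1 with Q = (-x', i*y') for Qp = (x', y') in E(F_p); verticals dropped."""
    xq, yq = -Qp[0] % p, Qp[1]
    line = lambda lam, T: ((lam*(xq - T[0]) + T[1]) % p, -yq % p)  # Lemma 3
    f, R = (1, 0), P
    for bit in bin(r)[3:]:                        # r_{l-1}, ..., r_0
        lam, S = step(R, R)
        f, R = mul2(mul2(f, f), line(lam, R)), S  # f <- f^2 * l_{R,R}(Q)
        if bit == "1":
            lam, S = step(R, P)
            if lam is not None:                   # None when R = -P (last round)
                f = mul2(f, line(lam, R))         # f <- f * l_{R,P}(Q)
            R = S
    return ladder((p*p - 1) // r, f, mul2, (1, 0))   # final exponentiation

def order_r_point():                              # brute force, toy field only
    return next((x, y) for x in range(p) for y in range(1, p)
                if (y*y - x**3 - x) % p == 0 and scalar_mul(r, (x, y)) is None)
```

With `P = order_r_point()`, comparing `tate(scalar_mul(2, P), P)` with the square of `tate(P, P)` exercises the bilinearity of Definition 1.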

3 Pairing computation on generalized Huff curves 

The Tate pairing computation on the classic Huff curves was introduced by Joye
et al. in [15]. The main contribution of this paper is the extension of the previous
results to the generalized Huff curves.

Huff curves can be represented as plane cubics. Thus, we can apply directly
the Miller algorithm to compute pairings on these curves. It is quite usual to
represent the point $Q \in E(\mathbb{F}_{q^k}) \setminus E(\mathbb{F}_q)$ in affine coordinates since, in the Miller
algorithm, the function is always evaluated at the same point. Let $Q = (y, z) =
(1 : y : z)$. Suppose the embedding degree $k$ is even, then $Q$ can be written in
the form $Q = (y_Q, z_Q\alpha)$, with $y_Q, z_Q \in \mathbb{F}_{q^{k/2}}$, $\mathbb{F}_{q^k} = \mathbb{F}_{q^{k/2}}(\alpha)$, where $\alpha$ is a non
quadratic residue in $\mathbb{F}_{q^{k/2}}$.

Let $P, R \in E(\mathbb{F}_q)$ and $l_{R,P}$ be the rational function vanishing on the line through
$P$ and $R$. We have

where $\lambda$ is the $(y, z)$-slope of the line through $P$ and $R$. Then, the divisor of $l_{R,P}$
is given by

$$\mathrm{div}(l_{R,P}) = R + P + T - (1 : 0 : 0) - (0 : 1 : 0) - (a : b : 0)$$

where $T$ is the third intersection of the line through $P$ and $R$ with the curve.
If $U$ is the neutral element of the group law (+), then the function $g_{R,P}$ can be
expressed as

$$g_{R,P} = \frac{l_{R,P}}{l_{R+P,U}}.$$

Let $U = O = (0 : 0 : 1)$ be the neutral element of the addition law. Then, for all
$Q = (y_Q, z_Q\alpha)$, we have

$$l_{R+P,O} = y_Q - \frac{Y_{R+P}}{X_{R+P}} \in \mathbb{F}_{q^{k/2}}.$$

This quantity is equal to 1 after the final exponentiation in the Miller algorithm
since it belongs to a proper sub-field of $\mathbb{F}_{q^k}$. That means it can be canceled in
computations. In the same context, divisions by $X_P$ can be omitted, and the
denominator in the expression of $\lambda$ too, i.e. if $\lambda = A/B$, then the function $g_{R,P}$ can
be evaluated as

$$g_{R,P}(Q) = (z_Q\alpha \cdot X_P - Z_P)B - (y_Q \cdot X_P - Y_P)A.$$

We are now ready to give explicit and precise formulae for the addition and
doubling steps of each round of the Miller loop.

Addition step. In the addition step, the $(y, z)$-slope of the line through the points
$P = (X_P : Y_P : Z_P)$ and $R = (X_R : Y_R : Z_R)$ is given by

$$\lambda = \frac{Z_RX_P - Z_PX_R}{Y_RX_P - Y_PX_R}.$$

Therefore, the function to be evaluated is of the form

$$g_{R,P}(Q) = (z_Q\alpha \cdot X_P - Z_P)(Y_RX_P - Y_PX_R) - (y_Q \cdot X_P - Y_P)(Z_RX_P - Z_PX_R).$$

Since the points $P$ and $Q$ remain constant during the execution of the Miller
loop, the values depending on $P$ and $Q$, i.e. $y'_Q = y_Q \cdot X_P - Y_P$ and $z'_Q = z_Q\alpha \cdot X_P$,
can be precomputed. Thus, each addition step of the Miller algorithm requires
the calculation of $R + P$ (an addition over $E(\mathbb{F}_q)$), the evaluation of $g_{R,P}(Q)$,
and the calculation of $f \cdot g_{R,P}(Q)$ (a multiplication over the field extension $\mathbb{F}_{q^k}$).
$R + P$ can be evaluated in $12m + 2c$ using the steps $m_1, m_2, \dots, m_7$.
Let $m_8 = (X_R + Y_R)(X_P - Y_P)$ and $m_9 = (X_P + Z_P)(Z_R - X_R)$. Then,

$$g_{R,P}(Q) = (z'_Q - Z_P)(m_8 - m_1 + m_2) - y'_Q(m_9 + m_1 - m_3),$$

where the first term requires $(\frac{k}{2} + 1)m$, and the second one $\frac{k}{2}m$. With the final
multiplication in $\mathbb{F}_{q^k}$, the cost of an addition step is $1M + (k + 15)m + 2c$.

Doubling step. In the doubling step, the slope of the tangent line to the curve
at the point $R = (X_R : Y_R : Z_R)$ is given by

^ aZl - 2hYnZR - ^ A 
bYl~2aYRZR~Xl B- 

Therefore, 

$$g_{R,R}(Q) = z_Q\alpha \cdot X_RB - Z_RB - y_Q \cdot X_RA + Y_RA.$$

In the Miller algorithm, we need to compute the point $2R$, which can be done
in $7m + 5s + 2c$. $A$ and $B$ can be evaluated in $1m$, namely $Y_RZ_R$, since the
other terms are already computed with the doubling operation. Therefore, the
function $g_{R,R}$ can be computed in $4m$ ($X_RB$, $Z_RB$, $X_RA$ and $Y_RA$), $\frac{k}{2}m$ for
$z_Q\alpha \cdot X_RB$ and $\frac{k}{2}m$ for $y_Q \cdot X_RA$. Thus, the doubling step requires a total cost of
$1M + 1S + (k + 12)m + 5s + 2c$, taking into account the multiplication and the
squaring which complete the duplication.

Conclusion 

We have successfully extended the Tate pairing computation to the generalized Huff
curves introduced by Wu and Feng. Our results are not far from the standard
case since the multiplications by constants are often negligible. That makes it
as efficient as the standard Tate pairing computation on Huff curves proposed
by Joye, Tibouchi and Vergnaud. The next step is to use this result to design
efficient cryptographic protocols such as ID-based protocols.